APT 33: Elfin, MAGNALLIUM, Refined Kitten, HOLMIUM, COBALT TRINITY, G0064, ATK35

Multi-staged attacks using weaponized documents, known productivity software vulnerabilities, and PowerShell backdoors are often launched from domains resembling legitimate business services.

Our assessment is as follows. We assess a high probability that APT 33 will launch PowerShell attacks from the following domains.

In a recent wave of attacks in February 2019, Elfin attempted to exploit a known vulnerability (CVE-2018-20250) in WinRAR, the widely used file archiving and compression utility capable of creating self-extracting archive files. The exploit was used against one target in the chemical sector in Saudi Arabia.

If successfully exploited on an unpatched computer, the vulnerability could permit an attacker to install any file on the computer, which effectively permits code execution on the targeted computer. Two users in the targeted organization received a file called "JobDetails.rar", which attempted to exploit the WinRAR vulnerability. This file was likely delivered via a spear-phishing email. However, prior to this attempted attack, Symantec had rolled out proactive protection against any attempt to exploit this vulnerability (Exp.CVE-2018-20250). This protection successfully protected the targeted organization from being compromised.

APT33 registered multiple domains that masquerade as Saudi Arabian aviation companies
and Western organizations that together have partnerships to provide training,
maintenance and support for Saudi’s military and commercial fleet. Based on observed
targeting patterns, APT33 likely used these domains in spear phishing emails to target
victim organizations.
The following domains masquerade as these organizations: Boeing, Alsalam Aircraft
Company, Northrop Grumman Aviation Arabia (NGAAKSA), and Vinnell Arabia.

APT 33: Elfin, MAGNALLIUM, Refined Kitten, HOLMIUM, COBALT TRINITY, G0064, ATK35

Our assessment is as follows. If engaged, APT33 has a high probability of deploying malicious drive-wiping malware. We have high confidence that StoneDrill will be the preferred tool, given the historical context cited below.

StoneDrill: We’ve Found New Powerful ‘Shamoon-ish’ Wiper Malware – and It’s Serious. | Nota Bene: Eugene Kaspersky’s Official Blog

StoneDrill is wiper malware discovered in destructive campaigns
against both Middle Eastern and European targets in association
with APT33.

While investigating the Shamoon 2.0 attacks, Kaspersky Lab also
discovered a previously unknown wiper malware which appears to
be targeting organizations in Saudi Arabia. We’re calling this
new wiper StoneDrill. StoneDrill has several “style”
similarities to Shamoon, with multiple interesting factors and
techniques to allow for the better evasion of detection. In
addition to suspected Saudi targets, one victim of StoneDrill
was observed on the Kaspersky Security Network (KSN) in Europe.
This makes us believe the threat actor behind StoneDrill is
expanding its wiping operations from the Middle East to Europe.
To summarize some of the characteristics of the new wiper
attacks, for both Shamoon and StoneDrill:
● Shamoon 2.0 includes a fully functional ransomware module, in
addition to its common wiping functionality.
● Shamoon 2.0 has both 32-bit and 64-bit components.
● The Shamoon samples we analyzed in January 2017 do not
implement any command and control (C&C) communication; previous
ones included a basic C&C functionality that referenced local
servers in the victim’s network.
● StoneDrill makes heavy use of evasion techniques to avoid
sandbox execution.
● While Shamoon embeds Arabic-Yemen resource language sections,
StoneDrill embeds mostly Persian resource language sections. Of
course, we do not exclude the possibility of false flags.
● StoneDrill does not use drivers during deployment (unlike
Shamoon) but relies on memory injection of the wiping module
into the victim’s preferred browser.
● Several similarities exist between Shamoon and StoneDrill.
● Multiple similarities were found between StoneDrill and
previously analysed NewsBeef attacks.

Kaspersky Lab, "From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond", Version 1.05, 2017-03-07, Report_Shamoon_StoneDrill_final.pdf (kasperskycontenthub.com)

Most recent event related to Shamoon / StoneDrill

Saipem says Shamoon variant crippled hundreds of computers - December 12, 2018, 1:02 PM

Techniques Used
T1059 - Command and Scripting Interpreter
T1485 - Data Destruction
T1561 - Disk Wipe: Disk Content Wipe, Disk Structure Wipe
T1070 - Indicator Removal on Host: File Deletion
T1105 - Ingress Tool Transfer
T1027 - Obfuscated Files or Information
T1055 - Process Injection
T1012 - Query Registry
T1113 - Screen Capture
T1518 - Software Discovery: Security Software Discovery
T1082 - System Information Discovery
T1124 - System Time Discovery
T1497 - Virtualization/Sandbox Evasion
T1047 - Windows Management Instrumentation

StoneDrill, Software S0380 | MITRE ATT&CK®

Indicators of Compromise (IOC):
StoneDrill MD5s

ac3c25534c076623192b9381f926ba0d
0ccc9ec82f1d44c243329014b82d3125
8e67f4c98754a2373a49eaf53425d79a
fb21f3cea1aa051ba2a45e75d46b98b8
StoneDrill C2s

www.eservic[.]com
www.securityupdated[.]com
www.actdire[.]com
www.chromup[.]com

From Shamoon to StoneDrill | Securelist

Further Reading: StoneDrill - Pulsedive
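The StoneDrill hashes and C2 domains above are only useful once they are turned into something that runs against telemetry. The following is an added example (not code from the original report or from any of the vendors it cites) that takes the page's four MD5s and four defanged C2 domains, refangs the domains, and matches them against DNS log lines and a file-hash inventory. The log lines, file paths and the non-matching hashes are constructed for the demo; the log field names `query=` and `host=` are an assumption about the log format.

```python
"""Match the StoneDrill IoCs listed above against sample telemetry.

Added example for this page; the IoC values are the ones the page lists,
the log lines and file inventory are constructed for the demonstration.
"""
import hashlib
import re
from typing import Iterable, List, Tuple

# MD5s exactly as listed on the page (Kaspersky's StoneDrill IoCs).
STONEDRILL_MD5S = {
    "ac3c25534c076623192b9381f926ba0d",
    "0ccc9ec82f1d44c243329014b82d3125",
    "8e67f4c98754a2373a49eaf53425d79a",
    "fb21f3cea1aa051ba2a45e75d46b98b8",
}

# C2 domains as published, still defanged with "[.]".
STONEDRILL_C2_DEFANGED = [
    "www.eservic[.]com",
    "www.securityupdated[.]com",
    "www.actdire[.]com",
    "www.chromup[.]com",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("[.]", "hxxp") back into its real form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


C2_DOMAINS = {refang(d) for d in STONEDRILL_C2_DEFANGED}

# Assumed log format: a "query=" (DNS) or "host=" (proxy) field holding the name.
HOST_RE = re.compile(r"(?:query|host)[=:]\s*([a-z0-9.-]+)", re.IGNORECASE)


def match_dns_lines(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, host) for every line whose queried host is a
    listed C2 or a subdomain of one. Suffix matching is anchored on the dot
    so that e.g. notchromup.com does not match www.chromup.com."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower().rstrip(".")  # drop trailing root dot
        for c2 in C2_DOMAINS:
            if host == c2 or host.endswith("." + c2):
                hits.append((n, host))
                break
    return hits


def md5_of_file(path: str) -> str:
    """MD5 of a file on disk, for building a real inventory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hashes(inventory: Iterable[Tuple[str, str]]) -> List[str]:
    """inventory: (path, md5) pairs. Return the paths whose MD5 is listed."""
    return [path for path, md5 in inventory if md5.lower() in STONEDRILL_MD5S]


# Constructed sample telemetry (not real logs); line 4 is a deliberate near-miss.
SAMPLE_DNS = [
    "2019-02-12T09:14:03Z client=10.0.4.21 query=www.chromup.com type=A",
    "2019-02-12T09:14:05Z client=10.0.4.21 query=update.microsoft.com type=A",
    "2019-02-12T09:15:11Z client=10.0.4.37 query=www.securityupdated.com. type=A",
    "2019-02-12T09:16:40Z client=10.0.4.37 query=notchromup.com type=A",
]

# Constructed inventory: one listed MD5, one unrelated hash (MD5 of empty input).
SAMPLE_INVENTORY = [
    (r"C:\Temp\sample1.exe", "AC3C25534C076623192B9381F926BA0D"),
    (r"C:\Windows\System32\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]

if __name__ == "__main__":
    for n, host in match_dns_lines(SAMPLE_DNS):
        print(f"C2 lookup on line {n}: {host}")
    for path in match_hashes(SAMPLE_INVENTORY):
        print(f"StoneDrill hash match: {path}")
```

Hash matching is only as good as the sample set, so it catches the published StoneDrill builds and nothing else; the domain check is the more durable of the two, and the subdomain-aware suffix match is what keeps it from missing `cdn.www.chromup.com` while still rejecting look-alike names that merely end in the same string.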

In addition to its custom malware, Elfin has also used several commodity malware tools, available for purchase on the cyber underground. These include:
• Remcos (Backdoor.Remvio): A commodity remote administration tool (RAT) that can be used to steal information from an infected computer.
• DarkComet (Backdoor.Breut): Another commodity RAT used to open a backdoor on an infected computer and steal information.
• Quasar RAT (Trojan.Quasar): Commodity RAT that can be used to steal passwords and execute commands on an infected computer.
• Pupy RAT (Backdoor.Patpoopy): Commodity RAT that can open a backdoor on an infected computer.
• NanoCore (Trojan.Nancrat): Commodity RAT used to open a backdoor on an infected computer and steal information.
• NetWeird (Trojan.Netweird.B): A commodity Trojan which can open a backdoor and steal information from the compromised computer. It may also download additional potentially malicious files.

Protection/Mitigation
Symantec has the following protection in place to protect customers against these attacks:
File-based protection
• Backdoor.Notestuk
• Trojan.Stonedrill
• Backdoor.Remvio
• Backdoor.Breut
• Trojan.Quasar
• Backdoor.Patpoopy
• Trojan.Nancrat
• Trojan.Netweird.B
• Exp.CVE-2018-20250
• SecurityRisk.LaZagne
• Hacktool.Mimikatz
• SniffPass

Indicators of Compromise (IOC)

SHA2                                                              Description
5798aefb07e12a942672a60c2be101dc26b01485616713e8be1f68b321747f2f  Notestuk/TURNEDUP
a67461a0c14fc1528ad83b9bd874f53b7616cfed99656442fb4d9cdd7d09e449  AutoIt backdoor
f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5  Gpppassword
87e2cf4aa266212aa8cf1b1c98ae905c7bac40a6fc21b8e821ffe88cf9234586  LaZagne
709df1bbd0a5b15e8f205b2854204e8caf63f78203e3b595e0e66c918ec23951  LaZagne
a23c182349f17398076360b2cb72e81e5e23589351d3a6af59a27e1d552e1ec0  Quasar RAT
0b3610524ff6f67c59281dbf4a24a6e8753b965c15742c8a98c11ad9171e783d  Quasar RAT
d5262f1bc42d7d5d0ebedadd8ab90a88d562c7a90ff9b0aed1b3992ec073e2b0  Quasar RAT
ae1d75a5f87421953372e79c081e4b0a929f65841ed5ea0d380b6289e4a6b565  Remcos
e999fdd6a0f5f8d1ca08cf2aef47f5ddc0ee75879c6f2c1ee23bc31fb0f26c70  Remcos
018360b869d8080cf5bcca1a09eb8251558378eb6479d8d89b8c80a8e2fa328c  Remcos
367e78852134ef488ecf6862e71f70a3b10653e642bda3df00dd012c4e130330  Remcos
ea5295868a6aef6aac9e117ef128e9de107817cc69e75f0b20648940724880f3  Remcos
6401abe9b6e90411dc48ffc863c40c9d9b073590a8014fe1b0e6c2ecab2f7e18  SniffPass
bf9c589de55f7496ff14187b1b5e068bd104396c23418a18954db61450d21bab  DarkComet
af41e9e058e0a5656f457ad4425a299481916b6cf5e443091c7a6b15ea5b3db3  DarkComet
c7a2559f0e134cafbfc27781acc51217127a7739c67c40135be44f23b3f9d77b  AutoIt FTP tool
99c1228d15e9a7693d67c4cb173eaec61bdb3e3efdd41ee38b941e733c7104f8  .NET FTP tool
94526e2d1aca581121bd79a699a3bf5e4d91a4f285c8ef5ab2ab6e9e44783997  PowerShell downloader (registry.ps1)
dedfbc8acf1c7b49fb30af35eda5e23d3f7a202585a5efe82ea7c2a785a95f40  POSHC2 backdoor